[Freeipa-users] Re: FreeIPA and AD

2019-03-07 Thread François Cami via FreeIPA-users
There is also a lot of documentation on https://access.redhat.com specifically:

"INTEGRATING A LINUX DOMAIN WITH AN ACTIVE DIRECTORY DOMAIN: CROSS-FOREST TRUST"
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/trust

"USING ID VIEWS IN ACTIVE DIRECTORY ENVIRONMENTS"
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/id-views

Regards,
François

On Thu, Mar 7, 2019 at 8:47 PM John Keates via FreeIPA-users
 wrote:
>
> The documentation on this is pretty good. Basically, you can ’trust’ AD from 
> FreeIPA, which means the users from AD can be used in IPA. Groups too. 
> Passwords must be set and reset in AD, but everything you need for Linux (SSH 
> keys, host rules etc) can be done in IPA.
>
> https://www.freeipa.org/page/Active_Directory_trust_setup
>
> > On 7 Mar 2019, at 18:34, Kristian Petersen via FreeIPA-users 
> >  wrote:
> >
> > Hello,
> >
> > Where I work we are a small shop.  We are currently using just FreeIPA for 
> > authentication and DNS and other Linux management stuff that it does for 
> > us.  We have enough Windows workstations now that it would be really nice 
> > to be able to manage those like we can our Linux stuff.  From what I have 
> > read thus far, it seems that if you use FreeIPA with AD, AD is the primary 
> > user store and FreeIPA kind of takes a back seat.  I am looking for some 
> > help in better understanding the implications of using FreeIPA along with 
> > AD.  Is there someone who could help me unravel this a bit or point me at 
> > some good resources?
> >
> > --
> > Kristian Petersen
> > System Administrator
> > BYU Dept. of Chemistry and Biochemistry
> > ___
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: 
> > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: FreeIPA and AD

2019-03-07 Thread John Keates via FreeIPA-users
The documentation on this is pretty good. Basically, you can ’trust’ AD from 
FreeIPA, which means the users from AD can be used in IPA. Groups too. 
Passwords must be set and reset in AD, but everything you need for Linux (SSH 
keys, host rules etc) can be done in IPA.

https://www.freeipa.org/page/Active_Directory_trust_setup

> On 7 Mar 2019, at 18:34, Kristian Petersen via FreeIPA-users 
>  wrote:
> 
> Hello,
> 
> Where I work we are a small shop.  We are currently using just FreeIPA for 
> authentication and DNS and other Linux management stuff that it does for us.  
> We have enough Windows workstations now that it would be really nice to be 
> able to manage those like we can our Linux stuff.  From what I have read thus 
> far, it seems that if you use FreeIPA with AD, AD is the primary user store 
> and FreeIPA kind of takes a back seat.  I am looking for some help in better 
> understanding the implications of using FreeIPA along with AD.  Is there 
> someone who could help me unravel this a bit or point me at some good 
> resources?
> 
> -- 
> Kristian Petersen
> System Administrator
> BYU Dept. of Chemistry and Biochemistry


[Freeipa-users] Re: FreeIPA and AD

2018-09-12 Thread Ryan via FreeIPA-users
Whoa …… thanks for this. Now I think I am on the right path. 

Thanks for the help.

R

> On 12 Sep 2018, at 13:44, Alexander Bokovoy via FreeIPA-users 
>  wrote:
> 
> On ke, 12 syys 2018, Ryan via FreeIPA-users wrote:
>> 
>> 
>>> On 12 Sep 2018, at 13:07, Alexander Bokovoy via FreeIPA-users 
>>>  wrote:
>>> 
>>> On ke, 12 syys 2018, Ryan via FreeIPA-users wrote:
>>>> Hi, All
>>>> 
>>>> Off the bat I would like to say being new to FreeIPA and rolling out a
>>>> successful deployment to manage our servers has been amazing, very few
>>>> hiccups.
>>>> 
>>>> Which brings me to my next question: I have been asked if FreeIPA can
>>>> be used with Samba4 as a Domain Controller in our environment. After
>>>> much reading it's not as simple as it might sound.
>>>> 
>>>> In saying that, my question is simple.
>>>> 
>>>> How or what would be the best way to keep the AD users and FreeIPA
>>>> users in sync? All I am really looking for is to auth users on the new
>>>> Samba4 AD server. Can this be done or not?
>>> It currently cannot be done. Requires functionality not available in
>>> FreeIPA.
>>> 
>> 
>> Yeah, that's what I thought, just need to confirm.
>> 
>> What would you suggest the best way to dump users from LDAP and then
>> populate Samba with users and random passwords? I understand this is
>> out of scope of FreeIPA.
> You can use the Python bindings to IPA to generate a list of user entries in
> Python and then feed some properties of that to samba-tool.
> 
> Something like this, using ipa console to simplify use of the API:
> 
> # ipa console
> (Custom IPA interactive Python console)
>   api: IPA API object
>   pp: pretty printer
> >>> result = api.Command.user_find(all=True, raw=True)['result']
> >>> len(result)
> 7
> >>> pp(result)
> ({'cn': ('Alexander Bokovoy',),
>   'displayName': ('Alexander Bokovoy',),
>   'dn': 'uid=ab,cn=users,cn=accounts,dc=example,dc=com',
>   'gecos': ('Alexander Bokovoy',),
>   'gidnumber': ('153601',),
>   'givenname': ('Alexander',),
>   'homedirectory': ('/home/ab',),
>   'initials': ('AB',),
>   'ipaNTHash': (b'some-value',),
>   'ipaNTSecurityIdentifier': ('-1001',),
>   'ipaUniqueID': ('',),
>   'ipaUserAuthType': ('otp',),
>   'krbLastPwdChange': ('2018053544Z',),
>   'krbPasswordExpiration': ('20180829111544Z',),
>   'krbcanonicalname': ('a...@example.com',),
>   'krbprincipalname': ('a...@example.com',),
>   'loginshell': ('/bin/sh',),
>   'mail': ('a...@example.com',),
>   'memberOf': (),
>   'nsaccountlock': ('FALSE',),
>   'objectClass': ('ipaobject',
>                   'person',
>                   'top',
>                   'ipasshuser',
>                   'inetorgperson',
>                   'organizationalperson',
>                   'krbticketpolicyaux',
>                   'krbprincipalaux',
>                   'inetuser',
>                   'posixaccount',
>                   'ipaSshGroupOfPubKeys',
>                   'mepOriginEntry',
>                   'ipantuserattrs',
>                   'ipauserauthtypeclass'),
>   'sn': ('Bokovoy',),
>   'uid': ('ab',),
>   'uidnumber': ('153601',)
>   },
>  )
> >>> for x in filter(lambda x: 'givenname' in x, result):
> ...     print("samba-tool user create {uid[0]} t4mp-P-A-S-S-W-O-R-D --given-name={givenname[0]} --surname={sn[0]} --must-change-at-next-login".format(**x))
> ...
> samba-tool user create ab t4mp-P-A-S-S-W-O-R-D --given-name=Alexander --surname=Bokovoy --must-change-at-next-login
> samba-tool user create mbar t4mp-P-A-S-S-W-O-R-D --given-name=M --surname=Bar --must-change-at-next-login
> samba-tool user create new-user t4mp-P-A-S-S-W-O-R-D --given-name=New --surname=User --must-change-at-next-login
> samba-tool user create a-user t4mp-P-A-S-S-W-O-R-D --given-name=A --surname=User --must-change-at-next-login
> samba-tool user create some-user t4mp-P-A-S-S-W-O-R-D --given-name=Some --surname=User --must-change-at-next-login
> samba-tool user create user-mode t4mp-P-A-S-S-W-O-R-D --given-name=User --surname=Mode --must-change-at-next-login
> 
> 
> -- 
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland


[Freeipa-users] Re: FreeIPA and AD

2018-09-12 Thread Alexander Bokovoy via FreeIPA-users

On ke, 12 syys 2018, Ryan via FreeIPA-users wrote:
> 
> 
>> On 12 Sep 2018, at 13:07, Alexander Bokovoy via FreeIPA-users 
>>  wrote:
>> 
>> On ke, 12 syys 2018, Ryan via FreeIPA-users wrote:
>>> Hi, All
>>> 
>>> Off the bat I would like to say being new to FreeIPA and rolling out a
>>> successful deployment to manage our servers has been amazing, very few
>>> hiccups.
>>> 
>>> Which brings me to my next question: I have been asked if FreeIPA can
>>> be used with Samba4 as a Domain Controller in our environment. After
>>> much reading it's not as simple as it might sound.
>>> 
>>> In saying that, my question is simple.
>>> 
>>> How or what would be the best way to keep the AD users and FreeIPA
>>> users in sync? All I am really looking for is to auth users on the new
>>> Samba4 AD server. Can this be done or not?
>> It currently cannot be done. Requires functionality not available in
>> FreeIPA.
>> 
> 
> Yeah, that's what I thought, just need to confirm.
> 
> What would you suggest the best way to dump users from LDAP and then
> populate Samba with users and random passwords? I understand this is
> out of scope of FreeIPA.

You can use the Python bindings to IPA to generate a list of user entries in
Python and then feed some properties of that to samba-tool.

Something like this, using ipa console to simplify use of the API:

# ipa console
(Custom IPA interactive Python console)
   api: IPA API object
   pp: pretty printer
>>> result = api.Command.user_find(all=True, raw=True)['result']
>>> len(result)
7
>>> pp(result)
({'cn': ('Alexander Bokovoy',),
  'displayName': ('Alexander Bokovoy',),
  'dn': 'uid=ab,cn=users,cn=accounts,dc=example,dc=com',
  'gecos': ('Alexander Bokovoy',),
  'gidnumber': ('153601',),
  'givenname': ('Alexander',),
  'homedirectory': ('/home/ab',),
  'initials': ('AB',),
  'ipaNTHash': (b'some-value',),
  'ipaNTSecurityIdentifier': ('-1001',),
  'ipaUniqueID': ('',),
  'ipaUserAuthType': ('otp',),
  'krbLastPwdChange': ('2018053544Z',),
  'krbPasswordExpiration': ('20180829111544Z',),
  'krbcanonicalname': ('a...@example.com',),
  'krbprincipalname': ('a...@example.com',),
  'loginshell': ('/bin/sh',),
  'mail': ('a...@example.com',),
  'memberOf': (),
  'nsaccountlock': ('FALSE',),
  'objectClass': ('ipaobject',
                  'person',
                  'top',
                  'ipasshuser',
                  'inetorgperson',
                  'organizationalperson',
                  'krbticketpolicyaux',
                  'krbprincipalaux',
                  'inetuser',
                  'posixaccount',
                  'ipaSshGroupOfPubKeys',
                  'mepOriginEntry',
                  'ipantuserattrs',
                  'ipauserauthtypeclass'),
  'sn': ('Bokovoy',),
  'uid': ('ab',),
  'uidnumber': ('153601',)
  },
 )
>>> for x in filter(lambda x: 'givenname' in x, result):
...     print("samba-tool user create {uid[0]} t4mp-P-A-S-S-W-O-R-D --given-name={givenname[0]} --surname={sn[0]} --must-change-at-next-login".format(**x))
...
samba-tool user create ab t4mp-P-A-S-S-W-O-R-D --given-name=Alexander --surname=Bokovoy --must-change-at-next-login
samba-tool user create mbar t4mp-P-A-S-S-W-O-R-D --given-name=M --surname=Bar --must-change-at-next-login
samba-tool user create new-user t4mp-P-A-S-S-W-O-R-D --given-name=New --surname=User --must-change-at-next-login
samba-tool user create a-user t4mp-P-A-S-S-W-O-R-D --given-name=A --surname=User --must-change-at-next-login
samba-tool user create some-user t4mp-P-A-S-S-W-O-R-D --given-name=Some --surname=User --must-change-at-next-login
samba-tool user create user-mode t4mp-P-A-S-S-W-O-R-D --given-name=User --surname=Mode --must-change-at-next-login


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
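
As an added example (not from the thread, and not FreeIPA or Samba project code), the script below does what the ipa console loop above does, but emits a random per-user initial password instead of one shared temporary value, shell-quotes every LDAP-sourced value, and skips accounts locked in IPA (nsaccountlock=TRUE). It assumes the raw user_find() result shape shown above; SAMPLE_RESULT is a constructed stand-in for that result.

```python
import secrets
import shlex
import string

# Constructed sample shaped like api.Command.user_find(all=True, raw=True)['result'];
# with raw=True every attribute arrives as a tuple of values.
SAMPLE_RESULT = (
    {'uid': ('ab',), 'givenname': ('Alexander',), 'sn': ('Bokovoy',),
     'nsaccountlock': ('FALSE',)},
    {'uid': ('mbar',), 'givenname': ('M',), 'sn': ('Bar',),
     'nsaccountlock': ('FALSE',)},
    # Disabled in IPA: must not be recreated in AD with a usable password.
    {'uid': ('old-user',), 'givenname': ('Old',), 'sn': ('User',),
     'nsaccountlock': ('TRUE',)},
    # No givenname: the thread's filter skips these as well.
    {'uid': ('svc-backup',), 'sn': ('Backup',), 'nsaccountlock': ('FALSE',)},
    # Awkward but legitimate directory values: apostrophes and a semicolon.
    {'uid': ("o'brien",), 'givenname': ('Pat; echo injected',),
     'sn': ("O'Brien",), 'nsaccountlock': ('FALSE',)},
)

PASSWORD_ALPHABET = string.ascii_letters + string.digits + "-_.!@#%"


def random_password(length=24):
    """CSPRNG-backed initial password; --must-change-at-next-login makes
    the user replace it at first logon, so it is never meant to be kept."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def first(entry, attr):
    """Return the first value of a raw (tuple-valued) attribute, or None."""
    values = entry.get(attr)
    return values[0] if values else None


def is_importable(entry):
    """The thread's `'givenname' in x` filter, plus a surname check (the
    command needs one) and exclusion of accounts locked in IPA."""
    if first(entry, 'givenname') is None or first(entry, 'sn') is None:
        return False
    return (first(entry, 'nsaccountlock') or 'FALSE').upper() != 'TRUE'


def samba_tool_commands(result, password_factory=random_password):
    """One samba-tool invocation per importable user.  Every LDAP-sourced
    value passes through shlex.quote, so an apostrophe or semicolon in a
    name stays a literal argument instead of altering the command line."""
    commands = []
    for entry in filter(is_importable, result):
        args = [
            "samba-tool", "user", "create",
            first(entry, 'uid'), password_factory(),
            "--given-name=" + first(entry, 'givenname'),
            "--surname=" + first(entry, 'sn'),
            "--must-change-at-next-login",
        ]
        commands.append(" ".join(shlex.quote(a) for a in args))
    return commands


if __name__ == "__main__":
    for line in samba_tool_commands(SAMPLE_RESULT):
        print(line)
```

Inside ipa console, pass the real `result` instead of SAMPLE_RESULT; the generated lines are meant to be reviewed and then run on the Samba DC, and the passwords handed to users out of band.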


[Freeipa-users] Re: FreeIPA and AD

2018-09-12 Thread Ryan via FreeIPA-users


> On 12 Sep 2018, at 13:07, Alexander Bokovoy via FreeIPA-users 
>  wrote:
> 
> On ke, 12 syys 2018, Ryan via FreeIPA-users wrote:
>> Hi, All
>> 
>> Off the bat I would like to say being new to FreeIPA and rolling out a
>> successful deployment to manage our servers has been amazing, very few
>> hiccups.
>> 
>> Which brings me to my next question: I have been asked if FreeIPA can
>> be used with Samba4 as a Domain Controller in our environment. After
>> much reading it's not as simple as it might sound.
>> 
>> In saying that, my question is simple.
>> 
>> How or what would be the best way to keep the AD users and FreeIPA
>> users in sync? All I am really looking for is to auth users on the new
>> Samba4 AD server. Can this be done or not?
> It currently cannot be done. Requires functionality not available in
> FreeIPA.
> 

Yeah, that's what I thought, just need to confirm.

What would you suggest the best way to dump users from LDAP and then populate 
Samba with users and random passwords? I understand this is out of scope of 
FreeIPA.

> -- 
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland


[Freeipa-users] Re: FreeIPA and AD

2018-09-12 Thread Alexander Bokovoy via FreeIPA-users

On ke, 12 syys 2018, Ryan via FreeIPA-users wrote:
> Hi, All
> 
> Off the bat I would like to say being new to FreeIPA and rolling out a
> successful deployment to manage our servers has been amazing, very few
> hiccups.
> 
> Which brings me to my next question: I have been asked if FreeIPA can
> be used with Samba4 as a Domain Controller in our environment. After
> much reading it's not as simple as it might sound.
> 
> In saying that, my question is simple.
> 
> How or what would be the best way to keep the AD users and FreeIPA
> users in sync? All I am really looking for is to auth users on the new
> Samba4 AD server. Can this be done or not?
It currently cannot be done. Requires functionality not available in
FreeIPA.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: FreeIPA and AD trust

2018-02-06 Thread Grace Thompson via FreeIPA-users
I have had an open RFE for global catalogs for a while now. Last update for target 
release is the 7.5/7.6 timeframe :( 



--  gracie mobile

> On Feb 6, 2018, at 7:25 AM, Alexander Bokovoy via FreeIPA-users 
>  wrote:
> 
> 
> 
> - Original Message -
>> Hi,
>> 
>> Clearly my Google skills are lacking, as I've not been able to find anything
>> definitive (mainly just old versions of IPA)
>> 
>> We have a well used FreeIPA domain, but I have a few appliances and
>> applications that require Active Directory. I can find information about
>> configuring AD to trust freeIPA, but not the other way around. Can we
>> configure our IPA at example.com to be trusted by an AD subdomain at
>> ad.example.com ? And if so, can anyone point me in the right direction?
> Two-way trust can be configured but it will not help you. Windows clients 
> require the Global Catalog service from a trusted Active Directory forest to 
> perform user/group lookups, which IPA does not provide.
> 
> -- 
> / Alexander Bokovoy


[Freeipa-users] Re: FreeIPA and AD trust

2018-02-06 Thread Alexander Bokovoy via FreeIPA-users


- Original Message -
> Hi,
> 
> Clearly my Google skills are lacking, as I've not been able to find anything
> definitive (mainly just old versions of IPA)
> 
> We have a well used FreeIPA domain, but I have a few appliances and
> applications that require Active Directory. I can find information about
> configuring AD to trust freeIPA, but not the other way around. Can we
> configure our IPA at example.com to be trusted by an AD subdomain at
> ad.example.com ? And if so, can anyone point me in the right direction?
Two-way trust can be configured but it will not help you. Windows clients 
require the Global Catalog service from a trusted Active Directory forest to perform 
user/group lookups, which IPA does not provide.

-- 
/ Alexander Bokovoy


[Freeipa-users] Re: FreeIPA and AD trust

2018-02-06 Thread Boris Sukhinin via FreeIPA-users
You could probably establish a two-way trust between AD and IPA domains. It seems 
such a configuration is supported: 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/windows_integration_guide/index#trust-one-two-way

-
Boris Sukhinin


[Freeipa-users] Re: FreeIPA and AD Trust - macOS cannot see AD trust users

2017-07-10 Thread Alexander Bokovoy via FreeIPA-users

On su, 09 heinä 2017, Louis Abel via FreeIPA-users wrote:
> Hello!
> 
> I created a FreeIPA (ipa.angelsofclockwork.net) and Active Directory
> (ad.angelsofclockwork.net) and put them into a two-way trust with
> POSIX. I used these commands:
> 
> ipa-adtrust-install --enable-compat --add-agents
> ipa trust-add --type=ad ad.angelsofclockwork.net --admin lmabel --password --two-way=true --range-type=ipa-ad-trust-posix
> 
> The users in AD have POSIX attributes assigned and those attributes are
> in the global catalog. My Linux clients can see the AD users when I do
> a getent passwd u...@ad.angelsofclockwork.net. So this is working as
> intended.
> 
> http://www.freeipa.org/page/HowTo/Setup_FreeIPA_Services_for_Mac_OS_X_10.12
> - I used this guide to add our first Mac to FreeIPA rather than AD.
> This guide worked for the most part, but I cannot get it to see the
> users across the trust boundary. I'm sure I'm either missing something
> or the Mac's Open Directory utility doesn't support trusts like we would
> think it should.
OpenDirectory only looks into a single LDAP server. The FreeIPA LDAP server
does not provide AD users in its own LDAP tree, thus OpenDirectory
cannot see them.

It is working as designed in the sense that OpenDirectory is not supported
for trusted users and never was supported.

> Anyone have any suggestions? Or will I have to just connect my Mac to
> AD and work with it that way? I was trying to avoid having to add to
> AD, but it seems like I'm going to have to go that route. Unless anyone
> has experience with getting it to work across trusts. From my research
> it seems others have tried to solve the 'trust' problem when there's
> two AD domains involved, not an IPA and AD domain. So it seems like a
> Mac-specific problem perhaps.
Yes, just connect to AD. We don't have much support for macOS in the
trust to AD space.
--
/ Alexander Bokovoy